Computerized records and database are employed in many industries. Often, the information is made available subject to usage rights limitations. For example, copyright information is generally controlled by the copyright owner, such that copying is controlled or prohibited after publication. In a digital environment, each transmission of the content results in a form of copying, such that a copyright owner cannot impose a strict prohibition on all forms of copying while promoting digital use of the content. Thus, the publisher or content owner seeks to apply rules that provide appropriate compensation.
In other instances, the issue is not content, but rather security and privacy. In these cases, the rules limit access based on an authorization, which may be express or implied. Medical and legal records are examples of this form of content limitation.
Conceptually, implementation of an economic permission and security permission based access control systems are similar. In fact, security based access control systems often include logs and audit trails, which are similar to the accounting databases associated with economic permission systems. Thus, many issues raised by these systems are similar.
Medical Records
The art of medical record keeping has developed over centuries of medical practice to provide an accurate account of a patient's medical history. Record keeping in medical practice was developed to help physicians, and other healthcare providers, track and link individual “occurrences” between a patient and a healthcare provider. Each physician/patient encounter may result in a record including notes on the purpose of the visit, the results of physician's examination of the patient, and a record of any drugs prescribed by the physician. If, for example, the patient were referred to another clinic for additional testing, such as a blood analysis, this would form a separate medical encounter, which would also generate information for the medical record.
The accuracy of the medical record is of the utmost importance. The medical record describes the patient's medical history, which may be of critical importance in providing future healthcare to the patient. Further, the medical record may also be used as a legal document, as a research tool and to provide information to insurance companies or third party reimbursors.
Over the years, paper medical records have evolved from individual practitioners' informal journals to the current multi-author, medical/legal documents. These paper records serve as the information system on which modern medical practice is based. While the paper-based medical record system has functioned well over many decades of use, it has several shortcomings. First, while a paper-based record system can adequately support individual patient-physician encounters, it fails to serve as a source of pooled data for large-scale analysis. While the medical data in the paper-based records is substantial, the ability to adequately index, store and retrieve information from the paper-based mechanisms prevents efficient analysis of the data. Thus, paper medical records could be a rich source of information for generating new knowledge about patient care, if only their data could be accessed on a large scale. Second, each portion of the paper-based record is generated and kept at the site of the medical service. Hence, the total record may be fragmented among many sites. Consequently, access by off-site physicians is less than optimal. The inability to access a complete medical record in a short period of time presents problems both for individual care and group care of patients. Because of the shortcomings of the paper-based record, the electronic medical record (or “EMR”) has been investigated for a number of years. An electronic medical record may be stored and retrieved electronically through a computer.
Clinical information as expressed by health care personnel is typically provided in natural language, e.g., in English. While phrases in natural language are convenient in interpersonal communication, the same typically does not apply to computerized applications such as automated quality assurance, clinical decision support, patient management, outcome studies, administration, research and literature searching. Even where clinical data is available in electronic or computer-readable form, the data may remain inaccessible to computerized systems because of its form as narrative text. Thus, while medical records may be maintained in electronic form, significant efforts are necessary in order to make the information available for automated analysis.
For computerized applications, methods and systems have been developed for producing standardized, encoded representations of clinical information from natural-language sources such as findings from examinations, medical history, progress notes, and discharge summaries. Special-purpose techniques have been used in different domains, e.g., general and specialized pathology, radiology, and surgery discharge reports.
Medical information poses significant challenges to knowledge management systems. Medical information presently includes multimedia file types, including numeric data, text, scanned text images, scanned graphic images, sound (e.g., phonocardiography and dictation), high resolution images (radiology) and video (ultrasonic imaging and fluoroscopy). The medical records for an individual may, overtime, grow to multiple megabytes or even gigabytes of data, and advanced medical techniques promise to increase the available data. These records come from a number of different medical service providers, and may be stored in geographically disparate locations. Often, a new medical service provider will seek to review all appropriate previous medical records for a patient. Further, in third party reimbursement situations, the third party indemnity will seek to review records in connection with billed services.
On the other hand, medical records include data that is intensely personal, including personal data such as sexual habits, drug abuse, psychological disorders, family histories, genetics, terminal diseases, or other injuries, and the like. Thus, while there are legitimate reasons for transmitting medical information files, such transmission must be limited to appropriate circumstances and to authorized recipients.
In today's practice environment, the inability of healthcare providers, administrators, insurers, researchers and governmental agencies to rapidly access and/or extract information from paper-based medical records represents a serious limitation with significant scientific and economic ramifications. Electronic medical record systems are expected to improve healthcare delivery by enhancing case management capabilities, and by leading to clinical practice research databases that provide valuable information on patient outcomes and clinical effectiveness.
While there have been attempts to develop computer database architectures capable of storing and retrieving medical record information which reconcile physicians' desires for maintaining a format of unstructured medical information with database requirements for highly structured data storage, these systems fail to provide an infrastructure for the efficient transmission, use and security protection of the data.
Some approaches have been based on the development of categorical data structures and descriptive vocabularies that require translation of medical information into highly structured abstractions. This approach is problematic due to the enormous size of the overall translation task, the inability to accurately code all of the information contained within the free-text portion of the record, and the fact that normalizing data introduces additional abstraction, which may devalue its clinical worth.
Other approaches provide a full text database with a metadata header abstracting portions of the data record. However, searching this metadata may be difficult, and the existence of this metadata outside of the record itself may impair patient privacy. On the other hand, failure to index the data makes searching for a record difficult.
There has been a longstanding trend to computerize various forms of information, in order to make this information more accessible, to facilitate transmission, and to facilitate storage thereof. However, in the case of medical information, this has resulting in significant concerns for the privacy and security of the information. Indeed, while the information technically cannot be disclosed without the consent of the patient, since at least the time of Hippocrates, the medical institutions that hold this information guard it jealously. Thus, it may be difficult to obtain collaboration between medical institutions in the ongoing treatment of a patient. While there are important legitimate uses for medical data, there is also a substantial possibility for abuse of the data and the associated trust relationship between patient and medical care provider represented therein. In fact, recent federal legislative and regulatory initiatives (US Department of Human Health Services) seek to regulate the creation, use, transmission and maintenance of medical information databases, and indeed may impose criminal sanctions.
The regulatory activities define mandates without defining implementing technologies nor providing funding for the burden imposed on federal, state, local and private entities.
Typically, in a hospital medical information system, information relating to patients in a database is generated and used by users having a variety of roles, including doctors of various specialties, nurses, therapists of various types, paraprofessionals, clinical laboratories, and bedside devices (which may automatically generate or receive patient information). In addition, medical information is used, but typically not generated by, pharmacies, administrators, lawyers, insurers or payors, and other parties.
Medical databases present a particular problem that has been difficult to address. On one hand, database architects seek to provide indexing of key fields of the database, allowing efficient retrieval. On the other hand, such indexes necessarily include information derived from the record. Thus, the existence of an index poses a security and privacy breach risk. One way to address this issue, as proposed in U.S. Pat. No. 5,832,450, is to avoid indexing, but rather to provide information contained only in the database record. While this preserves privacy, it makes locating a database record other than by patient identifier, or its accession identifier, very difficult.
Another method used to address this problem is the maintenance of anonymous medical records in addition to patient-specific records. Thus, a search for a record other than by patient identifier may be performed, but typically not for the treatment of the patient. Such techniques are useful in academic exercises. Often, the anonymization process is imperfect, or very costly.
One scheme for increasing the portability of medical records is to provide personal data storage devices, for example in credit card format optical storage medium. These devices, however, present a security risk, since it cannot be presumed that the patient will be able to provide consent to the use of the information when required; thus, access controls must necessarily be compromised. Further, the information carrier can be lost or destroyed.
Because of the many types of caregivers, the idea of role-based access has arisen; basically, medical professionals of different types will require access to various subsets of the medical record. For example, typically the primary care physician and certain consults will require full access.
Traditionally, medical records maintenance and upkeep have imposed a significant cost and burden. While enterprises have evolved for outsourcing of certain functions, these enterprises have not particularly represented the interests of the patient, and rather serve as agents for the medical record custodian.
One method for ensuring data security is encryption. Cryptographic systems employ secret keys to protect information. Key management systems for cryptographic keys are well known. One such system, by Entrust Technologies Limited is currently commercially available.
Media Content
One particular area of digital rights management involves the use and distribution of digital media, e.g., consumer entertainment in the form of audio, video, multimedia, and/or text. Computer software may be considered another form of media. In these systems, one significant purpose for digital distribution is to reduce the costs and increase convenience involved in communicating the information to the user. This, in turn, tends to reduce the actual or perceived cost of “consumption” of the media to the user. However, in a digital network, the content is readily replicated, and thus the owner risks loss of control and compensation. In order to retain control, the media is typically distributed in encrypted form. Alternatively, the media itself is unencrypted, but the available hardware for using the digital media requires permission for operation, in effect blocking the decoding to a usable form.
The existing systems seek to create an obligation by the recipient on behalf of the owner, to abide by the restrictions imposed. This obligation can be voluntarily or mandatory.
While on-line systems for browsing media may maintain privacy and confidentiality, on-line commercial transactions often waive privacy and confidentiality, by requiring disclosure of identity, electronic billing information, bill address, shipping address, and the association with the item being purchased. Further, databases are maintained which may then impair future privacy by associating the user's IP address or providing a browser cookie, which identify the user or associate with a prior detailed database record.
Thus, electronic commerce has the ability to eliminate the anonymity of cash. This is especially troublesome with respect to media content preferences and consumption, since these preferences and consumption were heretofore considered private.
Existing systems do not create a trust infrastructure, wherein an independent third party represents and serves as agent for the content owner, implementing a set of restrictive rules for use of the content, and interacting and servicing customers. In fact, these systems adopt a more traditional retail model, with independent resellers, or employ related entities.
In fact, the use of an intermediary, such as an Internet proxy server or payment service can protect user privacy. However, the Internet proxy cannot anonymize a direct electronic purchase transaction. Thus, existing intermediaries do not act in a representative capacity for the content owner, and do not integrate content management functions.
Personal Demographic Information
As stated above, many different electronic commerce systems have access to, and indeed maintain profiles and other information on customers. Even non-electronic retailers have adopted techniques to provide the same types of information, for example, supermarkets that provide “club cards”, and otherwise may track credit/debit card purchases.
Retailers seek to gain valuable insight into their business and consumer habits and responsiveness to promotions by profiling consumers, and forming personal profiles and/or aggregate profiles from this information. Since the information often includes purchase information, the profiles are personally identifiable. Further, user profiling must be associated with the same user on an ongoing basis.
Intermediaries
In fact, the use of an intermediary, such as an Internet proxy server or payment service, can protect user privacy. However, the Internet proxy cannot anonymize a direct electronic purchase transaction, and use of an intermediary service results in a loss of rights with respect to credit card transactions.
Thus, existing intermediaries do not act in a representative capacity for the content owner, and do not integrate content management functions.
Computer Security
Computer security is currently an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life—financial, medical, education, government, and communications—the concern over secure file access is growing. Using passwords is a common method of providing security. Password protection and/or personal identification numbers are employed for computer network security, automatic teller machines, telephone banking, calling cards, telephone answering services, houses, and safes. These systems generally require the knowledge of an entry code that has been selected by a user or has been preset. Preset codes are sometimes forgotten, as users have no reliable method of remembering them. Writing down the codes and storing them in close proximity to an access control device (i.e. the combination lock) results in a secure access control system with a very insecure code. Alternatively, the nuisance of trying several code variations renders the access control system more of a problem than a solution.
Password systems are known to suffer from other disadvantages. Usually, a user specifies passwords. Most users, being unsophisticated users of security systems, choose passwords that are relatively insecure, for example words that are found in a dictionary or within a personal wallet. As such, many systems protected by passwords are easily accessed through a simple (possibly automated) trial and error process.
Biometric authentication schemes, for example fingerprint, voice, iris, retina, hand, face, or other personal characteristics, may be used to identify a user. These either do not require a password or access code, or are used in conjunction with such passwords or codes, and may provide substantial system security. A biometric identification system accepts unique biometric information from a user and identifies the user by matching the information against information belonging to registered users of the system.
Though biometric authentication is a secure means of identifying a user, it is difficult to derive encryption keys from the information. In the first place, the information is different each time it is presented to a biometric information input device. Secondly, the biometric information is retrievable through, for example, extraction of latent fingerprints, and is therefore subject to “spoofing”. When an encryption key is derived directly from biometric information, the extraction of latent biometric information or the interception of biometric information may allow others to derive the encryption key. Thirdly, since some biometric information is substantially unchanging, it is not well suited to encryption because once an encryption key or biometric authentication system is broken (i.e., knowledge exists to circumvent the security provided by the scheme), and its use should be discontinued; however, changing the biometric information on demand is a difficult procedure. In order to overcome this problem, key management systems exist wherein a plurality of keys are stored in a secure key database. A user authentication, such as a biometric authentication, is used to access the secure key database. Often the database is encrypted with a key that is accessible through user authentication.
Key management systems are well known. One such system, by Entrust Technologies Limited is currently commercially available. Unfortunately, current key management systems are designed for installation on a single computer and for portability between computers having a same configuration. As such, implementation of enhanced security through installation of biometric input devices is costly and greatly limits portability of key databases. Alternatively, password based protection of key databases is undesirable because of the inherent insecure nature of most user selected passwords. For example, when using Entrust® software to protect a key database, the database is portable on a smart card or on a floppy disk. The portable key database is a duplicate of the existing key database. User authentication for the portable key database is identical to that of the original key database. The implications of this are insignificant when password user authentication is employed; however, when biometric user authentication such as retinal scanning or fingerprint identification are used, the appropriate biometric identification system is required at each location wherein the portable key database is used. Unfortunately, this is often not the case. In order to avoid this problem, organizations employ password access throughout and thereby reduce overall security to facilitate portability. Alternatively, members of an organization are not permitted to travel with portable key databases and thereby have reduced mobility and are capable of performing fewer tasks while outside the office. This effectively counters many of the benefits available in the information age. Key databases, once created, should not decrypted, except during emergencies. This prevents keys from becoming vulnerable by existing in their decrypted state.